Severity by source
AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
1DescriptionNVD
CAI Content Credentials versions c2pa-web@0.7.1, c2pa-v0.80.1 and earlier are affected by an Uncontrolled Resource Consumption vulnerability. An attacker could exploit this vulnerability to exhaust system resources, resulting in an application denial-of-service condition. Exploitation of this issue does not require user interaction.
AnalysisAI
Uncontrolled resource consumption in Adobe's CAI Content Credentials SDK (c2pa-web@0.7.1 and c2pa-v0.80.1 and earlier) allows a local, unprivileged attacker to exhaust system resources and crash the hosting application. The CVSS vector confirms local access is required, limiting exposure primarily to environments where untrusted users share process space with SDK-consuming applications, such as multi-tenant systems or services that process attacker-supplied C2PA credential data from disk or local input. No public exploit has been identified at time of analysis, and this vulnerability is not listed in the CISA KEV catalog.
Technical ContextAI
The affected library implements Adobe's C2PA (Coalition for Content Provenance and Authenticity) standard for embedding and verifying Content Credentials metadata into digital media. Two package variants are affected: the web-oriented binding (c2pa-web) and the core library (c2pa-v), both confirmed via CPE cpe:2.3:a:adobe:cai_content_credentials:*:*:*:*:*:*:*:*. CWE-400 (Uncontrolled Resource Consumption) indicates the library fails to impose adequate limits on memory allocation, CPU cycles, or processing iterations when handling certain inputs - a common failure mode in parsers and deserializers that process externally-supplied structured data formats such as the C2PA manifest embedded in media files. Without rate limiting or size bounds, a crafted input can cause the library to spin indefinitely or allocate unbounded memory, exhausting host system resources.
RemediationAI
Consult Adobe Security Bulletin APSB26-61 (https://helpx.adobe.com/security/products/content-authenticity-sdk/apsb26-61.html) for the vendor-confirmed patched release versions, as the exact fixed version numbers were not enumerated in the available advisory data and should not be inferred. Upgrade c2pa-web and c2pa-v packages to the versions specified in APSB26-61 as soon as possible. As a compensating control prior to patching, restrict which users or processes can supply input to SDK-consuming components - for example, enforce allowlist-based file validation upstream of any C2PA parsing logic, and consider wrapping SDK calls with process-level resource limits (e.g., ulimit on Linux, Job Objects on Windows) to cap memory and CPU consumption per invocation. Note that resource limit wrappers may cause application instability under legitimate heavy load, so tune thresholds carefully against normal operational profiles.
More in Cai Content Credentials
View allDenial-of-service in Adobe's CAI Content Credentials SDK (c2pa-web 0.7.1 and c2pa 0.80.1 and earlier) allows remote unau
Denial-of-service in Adobe CAI Content Credentials (c2pa-web 0.7.1 and c2pa 0.80.1 and earlier) allows remote unauthenti
Denial-of-service in Adobe CAI Content Credentials (c2pa-web 0.7.1 and c2pa 0.80.1 and earlier) allows remote unauthenti
CAI Content Credentials versions 0.78.2, 0.7.0 and earlier are affected by an Uncontrolled Resource Consumption vulnerab
Improper input validation in Adobe's CAI Content Credentials SDK (c2pa-web@0.7.1 and c2pa-v0.80.1 and earlier) permits a
Uncontrolled resource consumption in Adobe CAI Content Credentials (c2pa-web@0.7.1 and c2pa-v0.80.1 and earlier) allows
Uncontrolled resource consumption in Adobe CAI Content Credentials SDK (c2pa-web@0.7.1 and c2pa-v0.80.1 and earlier) all
CAI Content Credentials versions 0.78.2, 0.7.0 and earlier are affected by an Improper Input Validation vulnerability th
CAI Content Credentials versions 0.78.2, 0.7.0 and earlier are affected by an Improper Input Validation vulnerability th
CAI Content Credentials versions 0.78.2, 0.7.0 and earlier are affected by an Improper Input Validation vulnerability th
CAI Content Credentials versions 0.78.2, 0.7.0 and earlier are affected by an Improper Input Validation vulnerability th
CAI Content Credentials versions 0.78.2, 0.7.0 and earlier are affected by an Improper Input Validation vulnerability th
Same weakness CWE-400 – Uncontrolled Resource Consumption
View allSame technique Denial Of Service
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-35845
GHSA-jp5j-q2jw-fhpf